Cisco CCNA Security Chapter 1
Security Threats
Purpose of Security
To protect assets!
Historically done through physical security and closed networks.
Threats
There are four primary classes of threats to network security:
Unstructured threats
Structured threats
External threats
Internal threats
Evolution of Network Security
Morris Worm
The Morris worm or Internet worm
Morris Worm
According to Morris, the worm was not written to cause damage,
Good Thing?
The Morris worm prompted DARPA to fund the establishment of
victim host.
In the earlier variant of the worm, victim hosts experienced the following
defacement on all pages requested from the server:
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
Day 1 - 19: The infected host will attempt to connect to TCP port 80 of
randomly chosen IP addresses in order to further propagate the worm.
Day 20 - 27: A packet-flooding denial of service attack will be launched
against a particular fixed IP address.
Day 28 - end of the month: The worm "sleeps"; no active connections or
denial of service.
How is it stopped?
Although the worm resides entirely in memory, a reboot of the
New Threats
Drivers for Network Security
Hacker Titles
Phreaker
Spammer
Phisher
Evolution of Hacking
1960s - Phone Freaks (Phreaks)
1980s - Wardialing (WarGames)
1988 - Internet Worm
1993
2002
Security firsts
First Worm
Robert Morris created the first Internet worm with 99 lines of
code.
When the Morris Worm was released, 10% of Internet systems were brought
to a halt.
First SPAM
Mafiaboy
In 2001, The Montreal Youth Court
appearances.
substantial liability.
http://en.wikipedia.org/wiki/Information_security#Laws_and_regulations
Network Security Organizations
are:
Computer Emergency Response Team (CERT)
SysAdmin, Audit, Network, Security (SANS) Institute
International Information Systems Security Certification Consortium
(pronounce (ISC)2 as "I-S-C-squared")
US-CERT
SANS
ISC2
Network Security Policies and Domains
Security Policy
Cisco SecureX
This architecture includes the following five major components:
Scanning Engines Network level devices that examine content, authenticate
users, and identify applications. They can include firewall/IPS, proxy or a
fusion of both.
Delivery Mechanisms The way the scanning engine is implemented in the
network. It can be via a standalone appliance, a blade in a router, or a
software package.
Security Intelligence Operations (SIO) A traffic monitoring database, used to
identify and stop malicious traffic.
Policy Management Consoles Policy creation and management that
determines what actions the scanning engines will take.
Next-generation Endpoint Any variety of devices. All traffic to or from these
devices is directed through a scanning engine.
Malware / Malicious Code
Types of Attacks
There are four categories of attacks:
Malicious Code: Viruses, Worms and Trojan Horses
Reconnaissance Attacks
Access Attacks
Denial of Service (DoS) Attacks
Malware
Malicious software is software designed to infiltrate a computer
Spyware
Spyware is a strictly for-profit category of malware designed to:
Monitor a user's web browsing.
Display unsolicited advertisements.
Redirect affiliate marketing revenues to the spyware creator.
wrote them for the sole purpose of proving that they could, or to see how far
it could spread.
In some cases the perpetrator did not realize how much harm their creations
could do.
Viruses
A computer virus is a malicious computer program (executable
file) that can copy itself and infect a computer without permission
or knowledge of the user.
A virus can only spread from one computer to another by:
Sending it over a network as a file or as an email payload.
Carrying it on a removable medium.
Viruses
Some viruses are programmed to damage the computer by
Worms
Worms are a particularly dangerous type of hostile code.
They replicate themselves by independently exploiting vulnerabilities in
networks.
Worms usually slow down networks.
Anatomy of a Worm
The enabling vulnerability
A worm installs itself using an exploit vector on a vulnerable system.
Propagation mechanism
After gaining access to devices, a worm replicates and selects new targets.
Payload
Once the device is infected with a worm, the attacker has access to the host
often as a privileged user.
Attackers could use a local exploit to escalate their privilege level to
administrator.
Trojan Horses
Trojan Horse
A Trojan horse is a program that appears, to the user, to perform
Penetrate phase:
Exploit code is transferred to the vulnerable target.
Goal is to get the target to execute the exploit code through an attack vector, such as a buffer overflow,
ActiveX or Common Gateway Interface (CGI) vulnerabilities, or an email virus.
Persist phase:
After the attack is successfully launched in the memory, the code tries to persist on the target system.
Goal is to ensure that the attacker code is running and available to the attacker even if the system reboots.
Achieved by modifying system files, making registry changes, and installing new code.
Propagate phase:
The attacker attempts to extend the attack to other targets by looking for vulnerable neighboring machines.
Propagation vectors include emailing copies of the attack to other systems, uploading files to other systems
using file shares or FTP services, active web connections, and file transfers through Internet Relay Chat.
Paralyze phase:
Actual damage is done to the system.
Files can be erased, systems can crash, information can be stolen, and
distributed denial of service (DDoS) attacks can be launched.
Exploit Comparison
Commonalities
A majority of the software vulnerabilities that are discovered relate
to buffer overflows.
Buffer overflows are usually the primary conduit through which viruses,
worms, and Trojan Horses do their damage.
buffer overflows.
A root buffer overflow is intended to attain root privileges to a system.
Worms such as SQL Slammer and Code Red exploit remote root
buffer overflows.
Remote root buffer overflows are similar to local root buffer overflows, except
that local end user or system intervention is not required.
anti-virus software.
For fuller protection, host-based intrusion prevention systems (HIPS), such as
Cisco Security Agent, should also be deployed.
HIPS protects the OS kernel.
Worms - Mitigation
Containment Phase:
Limit the spread of a worm infection to areas of the network that are already
affected.
Compartmentalize and segment the network to slow down or stop the worm to
prevent currently infected hosts from targeting and infecting other systems.
Use both outgoing and incoming ACLs on routers and firewalls at control
points within the network.
Inoculation Phase:
Runs parallel to or subsequent to the containment phase.
All uninfected systems are patched with the appropriate vendor patch for the
vulnerability.
The inoculation process further deprives the worm of any available targets.
Worms - Mitigation
Quarantine Phase:
Track down and identify infected machines within the contained areas and
disconnect, block, or remove them.
This isolates these systems appropriately for the Treatment Phase.
Treatment Phase:
Actively infected systems are disinfected of the worm.
Terminate the worm process, remove modified files or system settings that the
worm introduced, and patch the vulnerability the worm used to exploit the
system.
In more severe cases, completely reinstall the system to ensure that the
worm and its by-products are removed.
not block UDP port 1434 because it was required to access the
SQL Server for legitimate business transactions.
Permit only selective access to a small number of clients using SQL Server.
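The containment and inoculation phases above both come down to ACL placement and ordering: specific permits for the few clients that legitimately need the worm's port, then a blanket deny for that port, then the remaining business traffic. The following Python model is an added example, not part of the Cisco course; it evaluates IOS-style first-match ACLs (with the implicit deny at the end) against constructed traffic for a Slammer-like scenario. The addresses, the SQL Server host, the two authorised clients and the infected user host are all made up for illustration.

```python
"""Worm containment with access control lists (ACLs), modelled in Python.

Added example, not from the Cisco course material. It models the
Slammer-era policy described above: UDP/1434 stays open only for the
few clients that legitimately talk to SQL Server, and everything else
that tries to reach UDP/1434 (including an infected host scanning
random targets) is dropped. Addresses, names and traffic are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                    # CIDR, e.g. "10.1.40.0/24"; "0.0.0.0/0" is any
    dst: str
    dport: Optional[int] = None # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; IOS-style implicit 'deny ip any any' at the end."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Constructed topology: SQL Server in the server segment, two authorised
# application servers in 10.1.30.0/24, and a user segment 10.1.40.0/24
# that contains an infected host.
SQL_SERVER = "10.1.20.5"
AUTHORISED_CLIENTS = ["10.1.30.11", "10.1.30.12"]
ANY = "0.0.0.0/0"

# Inbound ACL on the server-segment interface. Order matters: the specific
# permits come before the blanket deny of UDP/1434.
SERVER_INBOUND = [
    *[AclEntry("permit", "udp", f"{c}/32", f"{SQL_SERVER}/32", 1434) for c in AUTHORISED_CLIENTS],
    AclEntry("deny", "udp", ANY, ANY, 1434),
    AclEntry("permit", "ip", ANY, ANY),          # remaining business traffic
]

# Outbound ACL on the user segment (containment): user hosts have no
# business initiating UDP/1434 toward any destination, so the infected
# host cannot reach new targets even inside the company.
USER_OUTBOUND = [
    AclEntry("deny", "udp", "10.1.40.0/24", ANY, 1434),
    AclEntry("permit", "ip", "10.1.40.0/24", ANY),
]


def filter_packets(acl: List[AclEntry], packets: List[Packet]) -> dict:
    return {pkt: evaluate(acl, pkt) for pkt in packets}


if __name__ == "__main__":
    traffic = [
        Packet("10.1.30.11", SQL_SERVER, "udp", 1434),      # authorised SQL client
        Packet("10.1.40.77", SQL_SERVER, "udp", 1434),      # infected user host hitting the server
        Packet("10.1.40.77", "203.0.113.9", "udp", 1434),   # worm scanning a random target
        Packet("10.1.40.77", SQL_SERVER, "tcp", 1433),      # ordinary TCP SQL session
    ]
    for pkt, verdict in filter_packets(SERVER_INBOUND, traffic).items():
        print(f"server-inbound {verdict:6} {pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst}")
    user_segment = [p for p in traffic if p.src.startswith("10.1.40.")]
    for pkt, verdict in filter_packets(USER_OUTBOUND, user_segment).items():
        print(f"user-outbound  {verdict:6} {pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst}")
```

Note the two directions: the inbound list protects the server from the worm, the outbound list on the infected segment stops the worm from finding anyone else. Swapping the order of the first three entries in SERVER_INBOUND would silently drop the legitimate clients too, which is the usual way an emergency ACL breaks business traffic.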
Reconnaissance Attacks
Reconnaissance
Reconnaissance, also known as information gathering, is the
at a time.
Response received indicates whether the port is used and can therefore be
probed for weakness.
Packet Sniffing
A packet sniffer is a software application that uses a network
Packet Sniffing
Some network applications (FTP, Telnet, TFTP, SNMP, ...)
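The point about cleartext protocols is easiest to see from the sniffer's side. The following Python is an added example, not from the course: it takes a constructed list of TCP payloads, as a sniffer on a shared segment would reassemble them, and pulls the logins out of an FTP session (USER/PASS) and an HTTP request carrying Basic authentication (base64 is encoding, not encryption, so it offers no protection). The hosts and credentials are made up; HTTP Basic is not in the slide's list but fails in the same way.

```python
"""What a packet sniffer sees on a cleartext protocol.

Added example, not from the course. CAPTURE is a constructed list of TCP
payloads as a sniffer would reassemble them; extract_credentials() pulls
logins out of FTP (USER/PASS) and HTTP Basic authentication. Hosts and
credentials are made up for illustration.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed capture: one FTP login and one HTTP request with Basic auth.
CAPTURE: List[Segment] = [
    Segment("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\n"),
    Segment("10.0.0.20", "10.0.0.5", 51544, b"331 Password required for alice\r\n"),
    Segment("10.0.0.5", "10.0.0.20", 21, b"PASS s3cret!\r\n"),
    Segment("10.0.0.5", "10.0.0.20", 21, b"LIST\r\n"),
    Segment("10.0.0.6", "10.0.0.30", 80,
            b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
            b"Authorization: Basic " + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
]

FTP_CMD = re.compile(rb"^(USER|PASS) (.+?)\r?\n", re.IGNORECASE | re.MULTILINE)
BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.IGNORECASE | re.MULTILINE)


def extract_credentials(capture: List[Segment]) -> List[Tuple[str, str, str, str]]:
    """Return (protocol, server, username, password) for each login observed."""
    found: List[Tuple[str, str, str, str]] = []
    # FTP sends USER and PASS in separate segments; pair them per client->server flow.
    pending_user: Dict[Tuple[str, str], str] = {}
    for seg in capture:
        flow = (seg.src, seg.dst)
        if seg.dport == 21:
            for cmd, arg in FTP_CMD.findall(seg.payload):
                if cmd.upper() == b"USER":
                    pending_user[flow] = arg.decode(errors="replace")
                elif cmd.upper() == b"PASS" and flow in pending_user:
                    found.append(("ftp", seg.dst, pending_user.pop(flow),
                                  arg.decode(errors="replace")))
        elif seg.dport == 80:
            for token in BASIC.findall(seg.payload):
                try:
                    user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
                except (ValueError, UnicodeDecodeError):
                    continue          # malformed header, not a credential
                found.append(("http-basic", seg.dst, user, pw))
    return found


if __name__ == "__main__":
    for proto, server, user, pw in extract_credentials(CAPTURE):
        print(f"{proto:11} {server:12} {user}:{pw}")
```

Against SSH, SFTP or HTTPS the same code would see only cipher text, which is the mitigation the chapter gives later for sniffing: the protocol, not the network, decides what a passive listener can recover.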
Access Attacks
Access Attacks
Access attacks exploit known vulnerabilities in authentication
Access Attacks
Access attacks can be performed in a number of different ways,
including:
Password attacks
Trust exploitation
Port redirection
Man-in-the-middle attacks
Buffer overflow
Password Attacks
Hackers implement password attacks using the following:
Brute-force attacks
Trojan horse programs
IP spoofing
Packet sniffers
Dictionary cracking
Brute-force computation
Trust Exploitation
Trust exploitation refers to an individual taking advantage of a
Trust Exploitation
Another example of trust exploitation is a Demilitarized Zone
(DMZ) host that has a trust relationship with an inside host that is
connected to the inside firewall interface.
The inside host trusts the DMZ host.
When the DMZ host is compromised, the attacker can leverage that trust
relationship to attack the inside host.
Trust Exploitation
A hacker leverages existing trust relationships.
Several trust models exist:
Windows:
Domains
Active Directory
Linux and UNIX:
NIS
NIS+
Port Redirection
A port redirection attack is a type of trust exploitation attack that
Man-in-the-Middle Attacks
Man-in-the-middle attacks have these purposes:
Theft of information
Hijacking of an ongoing session to gain access to your internal network
resources
Traffic analysis to obtain information about your network and network users
DoS
Corruption of transmitted data
Introduction of new information into network sessions
working for your ISP gains access to all network packets that
transfer between your network and any other network.
DoS Attacks
Ping of death
Legacy attack that sent an echo request in an IP packet larger
95
Smurf Attack
This attack sends a large number of ICMP requests to directed
address.
Each packet is handled like a connection request, causing the server to
spawn a half-open (embryonic) connection by sending back a TCP SYN-ACK
packet and waiting for a packet in response from the sender address.
However, because the sender address is forged, the response never comes.
These half-open connections saturate the number of available connections
the server is able to make, keeping it from responding to legitimate requests
until after the attack ends.
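The half-open (embryonic) connection table described above is also what gives the attack away. The Python below is an added example, not from the course: it replays a constructed trace in which three legitimate clients complete their handshakes while a flooder sends SYNs from forged sources that never answer, keeps the embryonic table a server would hold, and raises an alert once it grows past a threshold, in the spirit of a TCP intercept feature's watch mode. The addresses, ports, timing and threshold are all constructed.

```python
"""Detecting a TCP SYN flood from the server's half-open connection table.

Added example, not from the course. The trace is constructed: a few
legitimate clients complete the handshake (SYN, then ACK after the
SYN-ACK), while a flooder sends SYNs from forged source addresses that
never answer. The tracker keeps the embryonic (half-open) table a server
would hold and raises an alert when it exceeds a threshold.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int]   # (client, client port, server, server port)


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


class HalfOpenTracker:
    def __init__(self, threshold: int, timeout: float = 30.0):
        self.threshold = threshold
        self.timeout = timeout
        self.embryonic: Dict[Flow, float] = {}   # flow -> time the SYN arrived
        self.alerts: List[str] = []

    def _expire(self, now: float) -> None:
        # a real stack drops stale half-open entries after its SYN-ACK retransmit timer
        for flow, t0 in list(self.embryonic.items()):
            if now - t0 > self.timeout:
                del self.embryonic[flow]

    def observe(self, pkt: Pkt) -> None:
        self._expire(pkt.ts)
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            self.embryonic.setdefault(flow, pkt.ts)
        elif pkt.flags in ("A", "R"):
            # third handshake packet (or a client reset) ends the half-open state
            self.embryonic.pop(flow, None)
        # a SYN-ACK is server->client and does not change the client-keyed table
        count = self.count_for(pkt.dst)
        if count > self.threshold:
            self.alerts.append(f"t={pkt.ts:.1f}s {pkt.dst}:{pkt.dport} half-open={count}")

    def count_for(self, server: str) -> int:
        return sum(1 for (_, _, dst, _) in self.embryonic if dst == server)


def build_trace() -> List[Pkt]:
    """Constructed trace: 3 legitimate handshakes, then 40 SYNs from forged sources."""
    server = "192.0.2.10"
    trace: List[Pkt] = []
    for i, client in enumerate(["198.51.100.5", "198.51.100.6", "198.51.100.7"]):
        t = float(i)
        trace.append(Pkt(t, client, 40000 + i, server, 80, "S"))
        trace.append(Pkt(t + 0.01, server, 80, client, 40000 + i, "SA"))
        trace.append(Pkt(t + 0.02, client, 40000 + i, server, 80, "A"))
    for i in range(40):
        spoofed = f"203.0.113.{i + 1}"          # forged source: the SYN-ACK goes nowhere
        trace.append(Pkt(5.0 + i * 0.01, spoofed, 50000 + i, server, 80, "S"))
        trace.append(Pkt(5.0 + i * 0.01 + 0.005, server, 80, spoofed, 50000 + i, "SA"))
    return trace


def run(trace: List[Pkt], threshold: int = 20) -> HalfOpenTracker:
    tracker = HalfOpenTracker(threshold)
    for pkt in trace:
        tracker.observe(pkt)
    return tracker


if __name__ == "__main__":
    tr = run(build_trace())
    print(f"half-open connections at end of trace: {tr.count_for('192.0.2.10')}")
    print(f"alerts raised: {len(tr.alerts)}; first: {tr.alerts[0] if tr.alerts else None}")
```

Because the sources are forged, blocking them by address achieves nothing; the useful responses are on the server side (shorter embryonic timeouts, SYN cookies, or an intercepting device that completes the handshake on the server's behalf), which is why the count of half-open entries per server, not per client, is the thing to watch.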
DDoS
Mitigating Attacks
Cryptography
If a communication channel is cryptographically secure, the only data a
packet sniffer detects is cipher text.
Anti-sniffer tools
Antisniffer tools detect changes in the response time of hosts to determine
whether the hosts are processing more traffic than their own traffic loads
would indicate.
Switched infrastructure
A switched infrastructure does not eliminate the threat of packet sniffers,
but it can greatly reduce a sniffer's effectiveness.
Man-in-the-Middle Mitigation
Man-in-the-middle attacks can be effectively mitigated only
[Figure: Host A - Router A - ISP - Router B - Host B, with an IPsec tunnel between Router A and Router B; a man-in-the-middle attack can only see cipher text.]
10 Best Practices
1. Keep patches up to date by installing them weekly or daily, if
6. Perform backups and test the backed up files on a regular basis.
7. Educate employees about the risks of social engineering, and
Thinking Like a Hacker
Hacking a Network
The goal of any hacker is to compromise the intended target or
application.
Hackers begin with little or no information about the intended
target.
Their approach is always careful and methodical, never rushed.
proprietary documents).
Minimize the amount of information on your public website.
Examine your own website for insecurities.
Run a ping sweep on your network.
Familiarize yourself with one or more of the five Regional Internet
Software Tools
A great many hacker tools are available:
Netcat: Netcat is a featured networking utility that reads and writes data
across network connections using the TCP/IP protocol.
Microsoft EPDump and Remote Procedure Call (RPC) Dump: These tools
provide information about Microsoft RPC services on a server:
The RPC Dump (rpcdump.exe) application is a command-line tool that queries RPC
endpoints for status and other information on RPC.
GetMAC: This application provides a quick way to find the MAC (Ethernet)
layer address and binding order for a computer running Microsoft
Windows 2000 locally or across a network.
Software development kits (SDKs): SDKs provide hackers with the basic tools
that they need to learn more about systems.
Dumpster diving
Recommended reading:
Password Cracking
Hackers use many tools and techniques to crack passwords:
Word lists
Brute force
Hybrids
The yellow Post-It note stuck on the side of the monitor, or in the top desk drawer
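The three offline techniques named here and in the earlier Password Attacks slides (dictionary cracking, brute-force computation, hybrids) differ only in how candidates are generated; the check against the stolen hash is the same. The Python below is an added example, not from the course: the "stolen" hash file is constructed (salt plus fast SHA-256 of salt and password, for three made-up users), the word list is five entries long, and the code tries the cheapest technique first and reports which one succeeded and after how many guesses.

```python
"""Offline password cracking: word list, hybrid rules and brute force.

Added example, not from the course. TARGETS is a constructed hash file:
each entry is (salt, sha256(salt + password)) for users whose passwords
are made up. A fast hash like this is why all three techniques work; a
slow, salted KDF (bcrypt, scrypt, Argon2) makes the same attack orders
of magnitude more expensive per guess.
"""
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, Optional, Tuple


def hash_pw(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed target file: user -> (salt, digest)
TARGETS: Dict[str, Tuple[str, str]] = {
    "alice": ("k9Qz", hash_pw("k9Qz", "sunshine")),   # plain dictionary word
    "bob":   ("p2Lm", hash_pw("p2Lm", "Welcome1")),   # dictionary word + mangling rule
    "carol": ("x7Tt", hash_pw("x7Tt", "zq4")),        # short and random: brute-forceable
}

WORDLIST = ["password", "sunshine", "welcome", "dragon", "letmein"]


def hybrid_candidates(words: Iterable[str]) -> Iterator[str]:
    """Mangle each word the way users do: capitalise, append a digit, leet-speak."""
    for w in words:
        yield w
        yield w.capitalize()
        for d in range(10):
            yield f"{w}{d}"
            yield f"{w.capitalize()}{d}"
        yield w.replace("a", "@").replace("e", "3").replace("o", "0")


def brute_force_candidates(alphabet: str, max_len: int) -> Iterator[str]:
    """Every string over the alphabet up to max_len; cost grows as len(alphabet)**n."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)


def crack(user: str, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (password or None, number of guesses hashed)."""
    salt, digest = TARGETS[user]
    tried = 0
    for guess in candidates:
        tried += 1
        if hash_pw(salt, guess) == digest:   # salt must be re-applied per guess
            return guess, tried
    return None, tried


def crack_all() -> Dict[str, Tuple[Optional[str], int, str]]:
    """Try the cheapest technique first; report which one succeeded."""
    results: Dict[str, Tuple[Optional[str], int, str]] = {}
    for user in TARGETS:
        for technique, cands in (
            ("wordlist", iter(WORDLIST)),
            ("hybrid", hybrid_candidates(WORDLIST)),
            ("brute-force", brute_force_candidates(string.ascii_lowercase + string.digits, 3)),
        ):
            pw, tried = crack(user, cands)
            if pw is not None:
                results[user] = (pw, tried, technique)
                break
        else:
            results[user] = (None, 0, "not cracked")
    return results


if __name__ == "__main__":
    for user, (pw, tried, how) in crack_all().items():
        print(f"{user:6} {how:12} guesses={tried:<6} password={pw}")
```

The salt stops one precomputed table from covering every user, but it does nothing against per-user guessing, which is what the three techniques are. Length and a slow hash are what change the economics: carol's three-character password falls to a few tens of thousands of guesses, and eight characters from the same alphabet would need about 36^8, roughly 2.8 trillion.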
the host:
Files containing user names and passwords
Registry keys containing application or user passwords
Any available documentation (for example, e-mail)
If the host cannot be seen by the hacker, the hacker may launch a
applications.
Hackers gain administrative access to all computers by cross-
Port redirectors:
Port redirectors can help bypass port filters, routers, and firewalls and may
even be encrypted over an SSL tunnel to evade intrusion detection devices.
in the network.
Reverse trafficking lets hackers bypass security mechanisms.
Trojans let hackers execute commands undetected.
Scanning and exploiting the network can be automated.
The hacker remains behind the cover of a valid administrator
account.
The whole seven-step process is repeated as the hacker
Cisco Network Foundation Protection (NFP)
areas:
Control Plane - Responsible for routing data correctly. Consists of device-generated
packets required for the operation of the network itself, such as
ARP message exchanges or OSPF routing advertisements.
Management Plane - Responsible for managing network elements.
Generated either by network devices or network management stations using
processes and protocols such as Telnet, SSH, TFTP, FTP, NTP, AAA, SNMP,
syslog, TACACS+, RADIUS, and NetFlow.
Data Plane (Forwarding Plane) - Responsible for forwarding data. Consists of
user-generated packets being forwarded between end stations. Most traffic
travels through the router, or switch, via the data plane.
accessibility.
Present legal notification developed by legal counsel of a
corporation.
Ensure the confidentiality of data by using management protocols
access.